Website hackers hijack Google webmaster tools to prolong infections

Lucian Constantin
Sept. 14, 2015

Webmasters should regularly check the list of verified owners for their websites in the Google Search Console.

When a new owner is verified for a website, existing owners will receive email notifications from Google. However, those notifications can be easy to miss for a variety of reasons -- for example, if they go to an email address that's rarely checked, if they get lost among other automated and non-urgent notifications received on a busy day or if they arrive during holidays or vacations.

If the legitimate owners don't read the notifications and take immediate action, the attackers can actually remove them from the Search Console verification list by deleting their HTML verification files from the server. This will trigger no notifications to the real owners, according to Sucuri senior malware researcher Denis Sinegubko.

If Google later detects a website compromise and automatically alerts its verified owners, only the attackers will get the notification, Sinegubko said. They can then temporarily remove their doorways, request a review from the Google antispam team to get the website unblocked in search results and put the doorways back with different URL patterns, he said.

If the real owners are no longer verified, it will take them a long time to realize that something happened, if they ever do. Meanwhile, the attackers will continue to exploit the website.

Even if the real owners spot the rogue owners, it's not always easy to remove them.

The Sucuri researchers have seen tricks used by attackers that rely on URL rewrite rules in the .htaccess configuration file and on dynamically generated pages. These make Google's verification robots detect the necessary HTML files even though they don't physically exist on the server, so the real administrators can't find and delete them.
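As an added defensive check, written for this article and not code from Sucuri or Google, the script below audits a site for the two conditions described above: HTML verification files in the web root whose token the owner does not recognize, and .htaccess rewrite rules that can answer a google*.html request without a real file on disk. The verification file-name pattern, the sample .htaccess, the file list and the tokens are constructed assumptions for the example.

```python
import re

# Google's HTML-file method places a file named google<hex>.html in the web root.
VERIFY_FILE_RE = re.compile(r"^google[0-9a-f]+\.html$")
REWRITE_RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)", re.IGNORECASE)
PROBE_NAME = "google0123456789abcdef.html"  # constructed token, not a real one
CONTROL_NAME = "about.html"                 # ordinary page, separates targeted rules from catch-alls

def unexpected_verification_files(filenames, known_tokens):
    """Return verification files whose token is not on the owner's allow-list."""
    unknown = []
    for name in filenames:
        if VERIFY_FILE_RE.match(name):
            token = name[len("google"):-len(".html")]
            if token not in known_tokens:
                unknown.append(name)
    return sorted(unknown)

def suspicious_rewrites(htaccess_text):
    """Return mod_rewrite lines that can answer a google*.html request with no file on disk."""
    hits = []
    for line in htaccess_text.splitlines():
        rule = line.strip()
        if rule.startswith("#"):
            continue
        if rule.lower().startswith("rewrite") and "google" in rule.lower():
            hits.append(rule)  # names the verification file outright
            continue
        m = REWRITE_RULE_RE.match(rule)
        if not m:
            continue
        try:
            pat = re.compile(m.group(1))
        except re.error:
            continue
        # Matches the verification name but not an ordinary page: targeted, not a front controller.
        if pat.search(PROBE_NAME) and not pat.search(CONTROL_NAME):
            hits.append(rule)
    return hits

# Constructed sample: a normal front-controller .htaccess plus one injected rule.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
RewriteRule ^google[0-9a-f]+\.html$ /wp-content/uploads/cache/v.php [L]
"""
SAMPLE_FILES = ["index.php", "about.html", "googlefedcba9876543210.html", "google0000aaaa1111bbbb.html"]
```

Run `unexpected_verification_files` over a directory listing of the web root and `suspicious_rewrites` over each .htaccess on the server; anything flagged should be compared against the owner list in the Search Console.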

Webmasters can take several actions to prepare themselves for such attacks, according to Sinegubko.

First, they should make sure that they verify themselves as owners for all of their websites, even if they don't plan to use the Google Search Console very often.

When they do this, they should opt for alternative verification methods that Google accepts and which are not easy to remove without attackers also compromising their Google or domain registration accounts. This will prevent attackers from removing their verification by simply deleting files from the server.

"In most cases it means that they had full access to your site, so you should close all the security holes and remove any malicious content that the hackers might have already created on your site," Sinegubko said.